Keys not trusted
Adrian 'Dagurashibanipal' von Bidder
Tue May 6 07:49:02 2003
Content-Description: signed data
On Tuesday 06 May 2003 02:03, Wolfgang Bornath wrote:
> Being fairly new in this I joined this list and received some messages
> by people who signed their messages. I always imported the keys (using
> the gpg option --auto-key-retrieve) and kmail tells me
> "Message is signed by XY (blahblub) (Key-ID: 0x12345678).
> Signature is valid but the key is not trusted."
This is not a bad thing in itself - it just means that you do not absolutely
know that you have the person's true public key. It could be just somebody
posting a public key under their name.
> When I want to send a private mail to somebody like that and I want to
> encrypt the text I see the list of my pubring but all imported keys are
> marked red and I cannot encrypt.
> Only my own public key is marked green and I can use it to send
> encrypted mails to myself (Big Deal!
Hmm. I think kmail has an option to allow you to send encrypted mail to
untrusted keys. However, it doesn't make sense since you don't really know
who you're sending an encrypted mail to. (Of course, for casual use, you can
usually trust that a published email address, if used for some time on mailing
lists with always the same key, does correspond to the real person. And, if
you look at their public key and there's many signatures on the key from
other people on the mailing list or other people you know, it's a good chance
that the key is actually genuine. It's just not that secure if you assume
that there's an actual enemy around trying to steal somebody's identity.)
> I signed one of those public keys because I know the person and my sig
> is listed but still the same.
It is good practice to really carefully check that you really have the right
key (and, if you don't know the person well enough, of course also that you
have the right person). Personally, I check the fingerprint with people I
know. Just a little paranoia there, but with the web of trust idea you have
other people relying on you doing this check carefully, and an error affects
not only you but potentially lots of people.
> Could someone explain or point me into the right direction?
You need to build a web of trust - get your key signed by other GPG/PGP users
and sign their keys. http://biglumber.com may list some people in your area,
and there's also a keysigning mailing list (search the archives or google, I
don't have the address handy right now) where you could ask if there's some
people in your area. Then you also need to assign trust values to the keys
(you assess how much you trust other people to be careful when they sign a key)
- by running gpg --update-trustdb.
I'd recommend that you read the documentation on http://gnupg.org, especially
the chapters about key signing and the Web of Trust:
http://www.gnupg.org/gph/en/manual.html; the interesting bits are in chapters
3 and 4.
Available for key signing in Zürich and Basel, Switzerland
(what's this? Look at http://fortytwo.ch/gpg/intro)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d